In the following thread we extracted the name value pairs from the embedded json document - How can we extract a json document within an event?
.We would like to rename some of these fields. Where can we do that?
You could always create an alias for the existing fields. Removing and renaming fields may be difficult if you have a lot of data in there
https://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Addaliasestofields
View solution in original post
Perfect @skoelpin - the alias solution makes sense.
